On 02/12/2014 01:07 PM, Alexander Bokovoy wrote:
> On Wed, 12 Feb 2014, Tamas Papp wrote:
>> hi All,
>>
>> $ ldapsearch -x -D uid=USER,cn=users,cn=compat,dc=foo -h localhost -w
>> `cat pw`
>> ldap_bind: Referral (10)
>>    referrals:
>>        ldap:///uid=USER,cn=users,cn=accounts,dc=foo
>>
>>
>>
>>
>> [12/Feb/2014:12:54:15 +0100] conn=25363 fd=79 slot=79 connection from
>> ::1 to ::1
>> [12/Feb/2014:12:54:15 +0100] conn=25363 op=0 BIND
>> dn="uid=USER,cn=users,cn=compat,dc=foo" method=128 version=3
>> [12/Feb/2014:12:54:15 +0100] conn=25363 op=0 RESULT err=10 tag=97
>> nentries=0 etime=0
>> [12/Feb/2014:12:54:15 +0100] conn=25363 op=-1 fd=79 closed - B1
>>
>>
>> System is Centos 6.5 and ldap was migrated from IPA 3.3 (Fedora 20).
>> Non-compat authentication works fine and authorization against compat is
>> also fine.
>>
>>
>> What is err=10?
> slapi-nis module in RHEL 6.x (and CentOS) does not support bind against
> compat tree. We added this feature only in Fedora 20 (and RHEL 7 beta).
>
> In older versions slapi-nis issues LDAP referral to the original LDAP
> entry with the hope that an LDAP client would follow it and perform a
> bind against the referral.
>
> Unfortunately, there is virtually no client software that supports the
> referral on bind operation.
>
> In short, you cannot do LDAP bind against compat tree in RHEL before
> 7.0.

I forgot to mention, the client would be Ubuntu 12.04 and it
works/worked with IPA 3.3 and F20.
If I understand correctly, you're referring to the client side, are you?
Or it is true for the server side as well?


Thanks,
tamas

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to